b'TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION\n\n\n\n\n                       Service Operations Command Center\n                       Management Can Do More to Benefit\n                        From Implementing the Information\n                         Technology Infrastructure Library\n\n\n\n                                         August 16, 2011\n\n                              Reference Number: 2011-20-078\n\n\n\n\n This report has cleared the Treasury Inspector General for Tax Administration disclosure review process\n  and information determined to be restricted from public release has been redacted from this document.\n\n\n\n Phone Number | 202-622-6500\n Email Address | TIGTACommunications@tigta.treas.gov\n Web Site      | http://www.tigta.gov\n\x0c                                                   HIGHLIGHTS\n\n\nSERVICE OPERATIONS COMMAND                            incidents occurred because of problems with\nCENTER MANAGEMENT CAN DO MORE                         software and were resolved by performing a\nTO BENEFIT FROM IMPLEMENTING THE                      system reboot or stop/restart. TIGTA\nINFORMATION TECHNOLOGY                                determined that the SOCCB needs to examine\n                                                      incident reports to identify trends within the\nINFRASTRUCTURE LIBRARY\n                                                      information technology infrastructure, making its\n                                                      Problem Management activities proactive.\nHighlights                                            TIGTA also determined that SOCCB\n                                                      management did not conduct a baseline\nFinal Report Issued on August 16, 2011                assessment of SOCCB staffing and workload\n                                                      and does not have a documented strategic plan\nHighlights of Reference Number: 2011-20-078           to communicate its goals and priorities with\nto the Internal Revenue Service Chief                 milestone and target dates. In addition, the\nTechnology Officer.                                   current performance measures do not address\n                                                      whether work is performed efficiently and\nIMPACT ON TAXPAYERS                                   effectively.\nThe Enterprise Operations organization Service        WHAT TIGTA RECOMMENDED\nOperations Command Center Branch (SOCCB)\nexists in part to ensure that normal information      TIGTA recommended that the Associate Chief\ntechnology service operations are maintained for      Information Officer, Enterprise Operations,\nservers and mainframes by using the three             ensure that SOCCB management revises\nInformation Technology Infrastructure Library\xc2\xae        SOCCB procedures to address ticket trending,\n(ITIL) processes of Event Management, Incident        perform a staffing and workload analysis of the\nManagement, and Problem Management. If the            SOCCB, update the Enterprise Operations\nSOCCB does not effectively implement these            organization\xe2\x80\x99s strategic plan whenever a\nITIL best practices, service outages may not be       SOCCB ITIL best practice is required to support\naddressed efficiently and the Internal Revenue        the goals or objectives of the organization,\nService (IRS) will not be effectively utilizing       ensure development and execution of a training\ntaxpayer resources.                                   plan, and identify and implement additional ITIL\n                                                      performance measures.\nWHY TIGTA DID THE AUDIT\n                                                      In their response to the report, IRS officials\nThe overall objective of this review was to           agreed with all of the recommendations. The\ndetermine whether the SOCCB has effectively           IRS plans to revise procedures to account for\nimplemented ITIL best practices to ensure             trending activities of its incident tickets, perform\nservice delivery management for Enterprise            a staffing and workload analysis, update the\nOperations organization products and services.        Enterprise Operations strategic plan for Problem\n                                                      Management, develop and execute a training\nWHAT TIGTA FOUND\n                                                      plan, and identify and implement performance\nSOCCB management incorporated Event                   measures.\nManagement, Incident Management, and\nProblem Management best practices into\nSOCCB policies and procedures and daily\noperations. In addition, personnel resolved the\nmajority of incident tickets within the required\ntime periods.\nTIGTA analyzed the 312 Fiscal Year 2010\nincident tickets worked by the systems\nadministrators and computer support specialists\nand determined that 145 (46 percent) of the\ntickets pertained to three systems. Most of the\n\x0c                                           DEPARTMENT OF THE TREASURY\n                                                WASHINGTON, D.C. 20220\n\n\n\n\nTREASURY INSPECTOR GENERAL\n  FOR TAX ADMINISTRATION\n\n\n\n\n                                           August 16, 2011\n\n\n MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER\n\n FROM:                       Michael R. Phillips\n                             Deputy Inspector General for Audit\n\n SUBJECT:                    Final Audit Report \xe2\x80\x93 Service Operations Command Center\n                             Management Can Do More to Benefit From Implementing the\n                             Information Technology Infrastructure Library\n                             (Audit # 201020006)\n\n This report presents the results of our review to determine whether the Service Operations\n Command Center Branch has effectively implemented Information Technology Infrastructure\n Library\xc2\xae best practices to ensure service delivery management for Enterprise Operations\n products and services. This review was included in our Fiscal Year 2010 Annual Audit Plan and\n addresses the major management challenge of Modernization of the Internal Revenue Service.\n Management\xe2\x80\x99s complete response to the draft report is included as Appendix V.\n Copies of this report are also being sent to the IRS managers affected by the report\n recommendations. Please contact me at (202) 622-6510 if you have questions or\n Alan R. Duncan, Assistant Inspector General for Audit (Security and Information\n Technology Services), at (202) 622-5894.\n\x0c                                 Service Operations Command Center Management\n                                  Can Do More to Benefit From Implementing the\n                                   Information Technology Infrastructure Library\n\n\n\n\n                                             Table of Contents\n\nBackground .......................................................................................................... Page 1\n\nResults of Review ............................................................................................... Page 3\n          Actions Have Been Taken to Implement Information\n          Technology Infrastructure Library Best Practices and\n          Provide Timely Service................................................................................. Page 3\n          Service Operations Command Center Branch\n          Management Can Do More to Become Proactive and\n          Closer to the Target State .............................................................................. Page 4\n                    Recommendation 1:........................................................ Page 7\n\n                    Recommendation 2:........................................................ Page 8\n\n          Additional Management Actions Are Needed to Ensure\n          Long-Term Success of the Service Operations Command\n          Center Branch ............................................................................................... Page 8\n                    Recommendations 3 through 5:......................................... Page 12\n\n\nAppendices\n          Appendix I \xe2\x80\x93 Detailed Objective, Scope, and Methodology ........................ Page 13\n          Appendix II \xe2\x80\x93 Major Contributors to This Report ........................................ Page 16\n          Appendix III \xe2\x80\x93 Report Distribution List ....................................................... Page 17\n          Appendix IV \xe2\x80\x93 Glossary of Terms ................................................................ Page 18\n          Appendix V \xe2\x80\x93 Management\xe2\x80\x99s Response to the Draft Report ....................... Page 21\n\x0c        Service Operations Command Center Management\n         Can Do More to Benefit From Implementing the\n          Information Technology Infrastructure Library\n\n\n\n\n                 Abbreviations\n\nFY         Fiscal Year\nIRS        Internal Revenue Service\nITAMS      Information Technology Assets Management System\nITIL       Information Technology Infrastructure Library\xc2\xae\nMITS       Modernization and Information Technology Services\nRCA        Root Cause Analysis\nSOCCB      Service Operations Command Center Branch\n\x0c                               Service Operations Command Center Management\n                                Can Do More to Benefit From Implementing the\n                                 Information Technology Infrastructure Library\n\n\n\n\n                                               Background\n\nThe Enterprise Operations organization supports the Modernization and Information Technology\nServices (MITS) organization by providing efficient, cost effective, secure, and highly reliable\ncomputing (mainframe and server) services for all Internal Revenue Service (IRS) business\nentities and taxpayers. The Enterprise Operations organization has seven organizations that\nwork to fulfill this mission. One of the organizations, the Enterprise Computing Center,1 is\nresponsible for providing support for the systems used to receive and process tax returns and\npayments, all infrastructure servers enterprise-wide, and application servers located in the\n10 campuses and non-Enterprise Computing Center sites.\nThe Service Operations Command Center Branch (SOCCB) \xe2\x80\x93 also referred to as the Command\nCenter \xe2\x80\x93 falls under the purview of the Enterprise Computing Center and ensures that normal\ninformation technology service operations are maintained for mainframes and servers. The\nSOCCB consists of two sections:\n      \xe2\x80\xa2    Service Operations Command Center Section \xe2\x80\x93 employs 64 systems administrators and\n           computer support specialists to perform Event Management and Incident Management\n           activities on the IRS\xe2\x80\x99s mainframes and servers.\n      \xe2\x80\xa2    Service Operations Management Section \xe2\x80\x93 employs 11 information technology\n           specialists to perform Problem Management activities for the entire MITS organization\n           and to facilitate the Service Restoration Team\xe2\x80\x99s part of Incident Management.\nEvent Management, Incident Management, and Problem Management processes originate from a\nset of concepts and techniques called the Information Technology Infrastructure Library\xc2\xae (ITIL).\nThe ITIL provides a set of best practices for managing Information Technology services and\naims at delivering those services to satisfy the business requirements of the organization. The\nITIL also provides for a common set of terminology to be used between MITS organization\noperations, which helps increase customer service and reduce costs. Because the ITIL provides\ngeneral guidance for what to do rather than how to do it, it is often described as a framework or\napproach. Figure 1 synopsizes a timeline of events that SOCCB management highlighted\nregarding its accomplishments in standing up and implementing ITIL best practices over the last\n5 years.\n\n\n\n\n1\n    See Appendix IV for a glossary of terms.\n                                                                                            Page 1\n\x0c                         Service Operations Command Center Management\n                          Can Do More to Benefit From Implementing the\n                           Information Technology Infrastructure Library\n\n\n\n       Figure 1: Timeline of ITIL Best Practices Implementation at the SOCCB\n\n           Date                                           Highlighted Events\n October 1, 2006         The SOCCB stood up. The Service Restoration Team process and limited Root Cause\n                         Analysis (RCA) support was in place at stand-up.\n Fiscal Year (FY) 2007   SOCCB management negotiated a stand-up/reassignment agreement with the National\n                         Treasury Employees Union, solicited for volunteers to come to the SOCCB, and\n                         competitively announced/filled remaining vacancies.\n FY 2008                 The SOCCB represented being the first organization to their knowledge with employees\n                         outside of the Enterprise Computing Center\xe2\x80\x93Martinsburg supporting workloads (without\n                         increasing authorized staffing).\n May 2009                The SOCCB established the Knowledge Database.\n September 2009          The SOCCB completed migration of monitoring/triage/resolution for Priority 1/Priority 2\n                         service tickets for Enterprise Computing Center networked production servers.\n\n September 2010          The SOCCB completed migration of monitoring/triage/resolution for Priority 1/Priority 2\n                         service tickets for Enterprise Computing Center mainframe workloads.\n FY 2011                 The SOCCB implemented a process to ensure follow-up and Knowledge Database\n                         updates for all SOCCB tickets that have to be reassigned for lack of documentation.\n\nSource: SOCCB management .\n\nThis review was performed at the SOCCB locations in Martinsburg, West Virginia, and\nMemphis, Tennessee, during the period July 2010 through April 2011. We conducted this\nperformance audit in accordance with generally accepted government auditing standards. Those\nstandards require that we plan and perform the audit to obtain sufficient, appropriate evidence to\nprovide a reasonable basis for our findings and conclusions based on our audit objective. We\nbelieve that the evidence obtained provides a reasonable basis for our findings and conclusions\nbased on our audit objective. Detailed information on our audit objective, scope, and\nmethodology is presented in Appendix I. Major contributors to the report are listed in\nAppendix II.\n\n\n\n\n                                                                                                        Page 2\n\x0c                            Service Operations Command Center Management\n                             Can Do More to Benefit From Implementing the\n                              Information Technology Infrastructure Library\n\n\n\n\n                                     Results of Review\n\nActions Have Been Taken to Implement Information Technology\nInfrastructure Library Best Practices and Provide Timely Service\n\nThe SOCCB updated its policies and procedures to incorporate ITIL best\npractices\nIn September 2010, the Chief Technology Officer outlined a goal to have the MITS organization\nimplement ITIL best practices over the next several years. The SOCCB has incorporated the\nITIL best practice principles of Event Management, Incident Management, and Problem\nManagement into its Concept of Operations and policies and procedures. In addition, the\nSOCCB has made these best practices a part of the way it does business by utilizing a\nKnowledge Database. This database provides personnel with the source for resolving incident\ntickets and is continually updated with new information.\n\nIncident ticket resolutions occur within documented service level agreement time\nperiods\nThe MITS organization service level agreement provides for a 4-hour response time on a\nPriority 1 ticket and an 8-hour response time on a Priority 2 ticket. Our analysis of Information\nTechnology Assets Management System (ITAMS) data showed that 3051 of the 312 tickets\nworked by Command Center personnel were resolved within the documented time periods.\nFigure 2 shows the average time to resolve these types of tickets.\n            Figure 2: Average Resolution Times for Priority 1 and 2 Tickets\n\n                         FY 2010                            Priority 1                Priority 2\n         Number of Tickets Received                             50                       262\n         Average Time to Resolve                       1 hour 39 minutes             55 minutes\n         Response Time Per Service Level                     4 hours                   8 hours\n         Agreement\n       Source: Our analysis of ITAMS data.\n\n\n\n1\n This excludes the Priority 1 and Priority 2 tickets considered Unscheduled Maintenance Requests and worked by\nan outside vendor.\n                                                                                                        Page 3\n\x0c                            Service Operations Command Center Management\n                             Can Do More to Benefit From Implementing the\n                              Information Technology Infrastructure Library\n\n\n\nWhile the SOCCB has implemented Event Management, Incident Management, and Problem\nManagement best practices into its environment, additional improvements are needed to show\ncontinued progress with and demonstrate efficiencies gained from implementing them.\n\nService Operations Command Center Branch Management Can Do\nMore to Become Proactive and Closer to the Target State\nWe reviewed the incident tickets worked by SOCCB personnel during FY 2010, the current staff\nsize within the SOCCB, and a recent independent contractor\xe2\x80\x99s ITIL assessment of the SOCCB\xe2\x80\x99s\nefforts to adopt ITIL best practices in evaluating whether the SOCCB is moving closer to the\ntarget state. Our analyses found that SOCCB management can improve the following activities\nto help them become more proactive.\n\nCommand Center Section personnel should examine incident reports to identify\ntrends within the information technology infrastructure\nWe analyzed the 312 FY 2010 incident tickets worked by the systems administrators and the\ncomputer support specialists looking for trends among the project type, cause of the incident, and\nhow the incident was resolved. Figure 3 shows that 145 (46 percent) of the tickets pertained to\n3 systems. Most of the incidents occurred because of problems with software (e.g., system,\nserver, or application) and were resolved by performing a system reboot or stop/restart.\n                   Figure 3: Top Three Causes and Most Common Resolution\n                           of Incident Tickets by System Name\n\n                                  # of Incident                                      Most Common\n             System Name             Tickets       Top Three Ticket Causes            Resolution\n     Account Management                63         Application Software (28)    Stop/Restart and Reboot\n     Services                                     System Error2 (8)\n                                                  No Trouble Found (8)\n     E-Services                        53         Unknown (18)                 Reboot\n                                                  Application Software (12)\n                                                  Other3 (10)\n     Totally Automated                 29         System Error (22)            Stop/Restart and Reboot\n     Personnel System                             Application Software (3)\n                                                  Server Software (3)\n     Total                             145\n    Source: Our analysis of ITAMS data.\n\n2\n SOCCB management described a system error as one that occurs due to a problem with the service software suite.\n3\n SOCCB management indicated this cause code is used synonymously with \xe2\x80\x9cUnknown\xe2\x80\x9d (i.e., the employee could\nnot identify what caused the incident ticket to occur).\n                                                                                                         Page 4\n\x0c                        Service Operations Command Center Management\n                         Can Do More to Benefit From Implementing the\n                          Information Technology Infrastructure Library\n\n\n\nWhen asked to provide details about the incident ticket trends we observed, SOCCB\nmanagement explained that the high volume of tickets for Account Management Services\noccurred partly because of a new release of the system for which Command Center personnel\nhad to perform the work. In addition, Account Management Services generally has the most\nusers, thus increasing the likelihood for generating more incident tickets. SOCCB management\nalso described e-Services as a complex system requiring a MITS-wide approach to resolution,\nwhile simultaneously implementing workarounds (e.g., reboots) to minimize impact to the\ncustomer until the underlying root cause was addressed.\nAccording to ITIL foundations, Problem Management is both a reactive and proactive process.\nReactive means solving problems uncovered by Incident Management or other sources, whereas\nproactive means looking for potential problems before they are reported as an incident. The\nOperations Management Section of the SOCCB conducts RCAs to facilitate its Problem\nManagement activities and mitigate the impact of system downtime/lost productivity by\nidentifying the root cause, a workaround, and ultimately a permanent solution. However, the\ncurrent RCA process performed by the Operations Management Section is reactive and only\nperformed if requested by an internal MITS organization stakeholder or if directed by an IRS\nexecutive.\nReviewing incident ticket data to discover the types of problems that occur more frequently can\nhelp the SOCCB identify problems that may occur in other places within the IRS\xe2\x80\x99s information\ntechnology infrastructure, as well as show that repeated failures have not been adequately\nresolved and are likely to continue to occur. This move towards proactive Problem Management\nwill help the SOCCB improve its overall effectiveness by posturing itself to identify problems\nbefore they occur and result in outages or lost productivity to its customers.\nFigure 4 shows a recent ITIL assessment completed by an independent contractor that identified\nthe current and target state for each SOCCB ITIL best practice. The independent contractor\xe2\x80\x99s\nassessment supports our observations that the current state of Problem Management activities\nwithin the SOCCB is reactive and notes the desired target state of trending incidents as part of\nproactive Problem Management.\n\n\n\n\n                                                                                          Page 5\n\x0c                           Service Operations Command Center Management\n                            Can Do More to Benefit From Implementing the\n                             Information Technology Infrastructure Library\n\n\n\n         Figure 4: Current and Future State of ITIL Best Practices at the SOCCB\n\n        Best Practice                      Current State                                  Target State\n    Event Management       The SOCCB reacts to and investigates          The SOCCB resolves events before user\n                           service outages after they have been          notices/reports problem.\n                           reported.\n                                                                         Correlate repeat events to provide for\n                           Some events automatically create incident     additional automatic escalation to an\n                           tickets.                                      incident.\n    Incident Management    All incidents are logged and tracked.         Incidents proactively tracked and\n                                                                         escalated to ensure service level\n                           Basic service level agreements are in place\n                                                                         agreements are met.\n                           to monitor resolution.\n    Problem Management     The bulk of problem resolution is             Trend incidents to create problems on an\n                           recurring incident-based as opposed to        ongoing basis.\n                           proactive Problem Management.\n                                                                         Report incident trends and resolutions\n                                                                         through proactive management.\nSource: Enterprise Operations organization, ITIL Maturity Assessment dated September 30, 2010.\n\nThe Government Accountability Office\xe2\x80\x99s Internal Control Management and Evaluation Tool4\nexplains that managers at all activity levels should review performance reports, measure results\nagainst targets, and analyze trends.\nSOCCB management stated they currently do not have sufficient staffing in the Operations\nManagement Section to move more toward proactively identifying recurring incidents and\ncreating RCA tickets that will identify why problems occur and provide a permanent solution.\nTo address the staffing issue, Enterprise Operations organization management negotiated the\ntransfer of vacant positions from other MITS organization programs to help perform this kind of\nwork.\n\nSOCCB management needs to baseline their staffing with workload\nThe SOCCB formally stood up in FY 2007, with approximately 25 personnel operating in a\n24 hours a day, 7 days a week, 365 days a year environment. At that time, SOCCB management\nsubmitted a request for organization change indicating that a total of 92 personnel (systems\nadministrators, information technology specialists, and customer support specialists) were\nneeded to support program activities. As of July 2010, the SOCCB employed 75 personnel to\nhandle Event Management, Incident Management, and Problem Management activities.\nThe 64 systems administrators and computer support specialists (which handle Event and\nIncident Management) support three different workloads split between mainframes and servers.\nAccording to SOCCB management, there are more than 3,300 servers and 15 different\n\n4\n    GAO-01-1008G, dated August 2001.\n                                                                                                             Page 6\n\x0c                              Service Operations Command Center Management\n                               Can Do More to Benefit From Implementing the\n                                Information Technology Infrastructure Library\n\n\n\nmainframes that require monitoring. During FY 2010, these personnel resolved 312 incident\ntickets (an average of 5 tickets per employee), updated the Knowledge Database, performed\nevent monitoring activities, and reviewed and updated more than 700 Probe and Response\nguides. According to SOCCB management, these personnel also assist with other work\n(e.g., communicating with stakeholders regarding changes to monitoring thresholds) that\nsupports Event and Incident Management activities. SOCCB management also indicated that the\namount of time spent per activity varies based on the task/situation.\nAccording to industry expert Gartner Group,5 \xe2\x80\x9cdeveloping a portfolio of standardized\ninformation technology services with repeatable process methodologies for service delivery and\nsupport will help information technology organizations improve information technology service\nquality, reduce costs, and increase business value and agility,\xe2\x80\x9d and \xe2\x80\x9ca cost-effective information\ntechnology organization can do more with less \xe2\x80\x93 or at least do more with the same.\xe2\x80\x9d\nOne way for an organization to measure its success and know if it is \xe2\x80\x9cdoing more with less\xe2\x80\x9d is to\nperform a staffing and workload analysis. When the SOCCB stood up in FY 2007, it did not\ninitially baseline its staffing needs against its workload, and it has yet to perform a staffing and\nworkload analysis. Having this information readily available will allow SOCCB management to\ndemonstrate to upper management the direct relationship between staffing and support levels and\nthe impact any reductions or increases in staffing might have on service levels.\nManagement\xe2\x80\x99s Responsibility for Internal Control (Office of Management and Budget\nCircular A-123) states that managers are responsible for increasing productivity and controlling\ncosts of agency operations. The Government Accountability Office\xe2\x80\x99s Standards for Internal\nControl in the Federal Government6 stipulates that program managers need both operational and\nfinancial data to determine whether they are meeting their goals for effective and efficient use of\nresources.\n\nRecommendations\nThe Associate Chief Information Officer, Enterprise Operations, should:\nRecommendation 1: Ensure SOCCB management revises SOCCB standard operating\nprocedures to account for MITS-wide trending activities of its incident tickets to help identify\nrepeat occurrences of incidents that can be used to proactively address problems, increase\nefficiency, and result in fewer repeat incidents in the future.\n           Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. The SOCCB\n           has completed the hiring of the additional Problem Management staff, and all were\n\n\n\n5\n    IT Infrastructure and Operations Leaders Key Initiative: ITIL and Process Improvement, dated January 16, 2009.\n6\n    GAO/AIMD-00-21.3.1, dated November 1999.\n                                                                                                           Page 7\n\x0c                               Service Operations Command Center Management\n                                Can Do More to Benefit From Implementing the\n                                 Information Technology Infrastructure Library\n\n\n\n           onboard on June 19, 2011. The SOCCB will revise the standard operating procedures to\n           account for MITS-wide trending activities of its incident tickets.\nRecommendation 2: Perform a staffing and workload analysis of the SOCCB to demonstrate\nthe relationship between staffing and service levels and help identify opportunities to improve\ninformation technology service quality, reduce costs, and increase business value.\n           Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. Currently,\n           the SOCCB has the minimum staff per each work specialty and, due to budgetary,\n           National Treasury Employees Union, and Labor Relations constraints, is unable to make\n           any adjustments to the staffing model. However, the SOCCB will perform a staffing and\n           workload analysis to determine the relationship between staffing and service levels and\n           help identify opportunities to improve information technology service quality, reduce\n           costs, and increase business value in anticipation of the ability to acquire or adjust\n           resources.\n\nAdditional Management Actions Are Needed to Ensure Long-Term\nSuccess of the Service Operations Command Center Branch\nWe reviewed the organizational goals, personnel training history, and currently established\nperformance measures to evaluate whether the SOCCB can effectively and efficiently\naccomplish its mission. Our review found that SOCCB management can make improvements in\nthe following areas to help ensure future program success.\n\nThe SOCCB needs a strategic plan and vision for maturing the implementation of\nthe ITIL best practices\nAlthough SOCCB management has incorporated the ITIL best practice principles of Event\nManagement, Incident Management, and Problem Management into SOCCB daily operations\nand updated its policies and procedures, they have not documented any milestones leading to\nmaturing these best practices or long-range goals that will show the intended benefits. SOCCB\nmanagement has been more focused on getting policies and procedures updated and responding\nto new workload requests versus documenting a baseline organization, vision for the future, and\na plan to show how they will attain their future vision. SOCCB management has developed an\naction plan for when they transition new work, but the plan does not show specific time periods\nassociated with completing the transition (of planned new workloads) or the desired outcomes of\nthe transition efforts to include how those efforts will help the SOCCB most efficiently and\neffectively leverage and mature implementation of ITIL best practices.\nThe first quarter FY 2011 version of the Enterprise Operations organization\xe2\x80\x99s 5-year strategic\nplan,7 which SOCCB management provides input to, contains two objectives and goals regarding\n\n7\n    Enterprise Operations organization management reviews and updates its strategic plan quarterly.\n                                                                                                      Page 8\n\x0c                              Service Operations Command Center Management\n                               Can Do More to Benefit From Implementing the\n                                Information Technology Infrastructure Library\n\n\n\nthe ITIL. To support the objective of improving filing season execution, the strategic plan states\na goal of continuously improving service to customers and identifies that the SOCCB will\nexpand its Problem Management activities. However, the strategic plan does not contain any\nmilestones or target dates for the expansion, disclosing that these actions are pending the\nadditional resources negotiated from the other MITS organizations. In addition, the strategic\nplan states another goal of delivering improved business capabilities and governance, identifying\nthat building the foundation of the ITIL will help strengthen program management capabilities\nand accountability. The strategic plan does not contain a description of what this means, reflect\nany milestones or target dates, or provide a list of anticipated benefits.\nAccording to industry best practices, to be successful in the ITIL, a deliberate, well-planned\nproject management approach should be adopted. Key activities in this approach include\ncreating an overall vision and strategy, developing a project plan and managing it effectively,\nand assigning accountability for desired outcomes. A strategic plan outlines an organization\xe2\x80\x99s\npriorities and communicates to employees, internal stakeholders, and external stakeholders how\nit plans to accomplish those priorities. Without a documented plan and strategy for maturing\nITIL best practices relevant to the SOCCB, it will be difficult for management to demonstrate\ntheir efforts to make Command Center processes more efficient and influence decisions among\ntheir stakeholders.\n\nPersonnel need customized training to effectively implement the ITIL\nIn our review of the training records, we determined 44 of 50 SOCCB personnel that received\nITIL training completed an ITIL foundations course. The foundations course is an entry-level\ncourse designed to provide candidates with a general awareness of the key elements, concepts,\nand terminology used in the ITIL. We also determined that almost 90 percent (44 of 50) of the\nSOCCB personnel received training from 2 years to 4 years ago (during Calendar Years 2006\nthrough 2008). In addition, some personnel completed training in an ITIL best practice area\n(e.g., financial and security management, service level, and capacity management) that did not\nalign with the specific work completed by the SOCCB. According to SOCCB management, this\ntraining was completed as part of mandatory annual Federal Information Security Management\nAct8 security training requirements.\nIndustry best practices require that ITIL training be customized to suit individual roles and\nresponsibilities. SOCCB management previously expressed concerns about their ability to fund\nITIL training for their personnel, and this might explain why a formal training plan has not been\ndeveloped and implemented. Creating and executing a training plan will allow SOCCB\nmanagement to ensure that their personnel consistently remain a valuable part of a highly skilled\nand high-performing workforce to support the SOCCB and IRS missions.\n\n\n\n8\n    44 U.S.C. Sections 3541 \xe2\x80\x93 3549.\n                                                                                           Page 9\n\x0c                            Service Operations Command Center Management\n                             Can Do More to Benefit From Implementing the\n                              Information Technology Infrastructure Library\n\n\n\nAdditional measures are needed to capture the improved efficiency and\neffectiveness resulting from ITIL implementation\nThe SOCCB workload primarily consists of monitoring operations and working incident tickets.\nAn incident ticket is routed to systems administrators or computer support specialists by one of\nthree methods: 1) a user calls in a ticket, 2) the ITAMS generates a ticket, or 3) the Command\nCenter receives an alert announcing, for example, that a server is going down. An alert is\ndesigned to prevent/minimize a work stoppage. When the SOCCB receives a ticket, personnel\nwill search for a resolution via the Knowledge Database. Generally, systems administrators and\ncomputer support specialists have 30 minutes to close and/or reassign an incident ticket before it\nis elevated to a subject matter expert.\nCurrently, SOCCB management has established the following goals to measure SOCCB\nperformance each fiscal year:\n    \xe2\x80\xa2   Tickets Opened for Errors Recognized Through Event Management. Goal: 20 percent\n        increase by 4th quarter (compared to 1st quarter).\n    \xe2\x80\xa2   Probe and Responses Updated to Reflect the SOCCB as the Primary Assignment Group\n        for Priority 1 and 2 Tickets. Goal: 100 percent for Enterprise Computing Center\n        networked servers.\n    \xe2\x80\xa2   Number of Priority Tickets Triaged/Closed. Goal: 80 percent worked/closed without\n        reassignment.\nHowever, the first 2 of the 3 measures are broad goals that do not address whether the work is\nperformed efficiently [i.e., work completed within reported time periods (e.g., number and\npercentage of tickets resolved in 30 minutes)] or effectively (i.e., quality resolutions or\nnonrecurrence of problems). In addition, none of the current measures allow SOCCB\nmanagement to track continuous improvements, and there are no measures to ensure that the\nSOCCB is meeting its RCA goals.9\nIndustry best practices emphasize that identifying the appropriate measures, creating a process\nfor collecting and analyzing the data, and effectively using the data to guide and direct continued\nimprovement are essential to establishing a successful measurement process. Meaningful key\nperformance indicators should align with organizational goals and provide insight into the\nfollowing:\n    \xe2\x80\xa2   Quality \xe2\x80\x93 How well is the process working?\n    \xe2\x80\xa2   Efficiency \xe2\x80\x93 Is the throughput of the process sufficient?\n\n\n\n9\n  The goals include mitigating the impact of system downtime/lost productivity and preventing the recurrence of\nincidents.\n                                                                                                          Page 10\n\x0c                          Service Operations Command Center Management\n                           Can Do More to Benefit From Implementing the\n                            Information Technology Infrastructure Library\n\n\n\n   \xe2\x80\xa2   Compliance \xe2\x80\x93 Is the process being followed?\n   \xe2\x80\xa2   Value \xe2\x80\x93 Are we doing what we are supposed to be doing?\nAlso, metrics should be specific, measurable, attainable, realistic, and time driven. Metrics help\nto ensure that the process in question is running effectively and efficiently.\nFigure 5 shows the SOCCB experienced declines in each of its measures from FY 2009 to\nFY 2010.\n                 Figure 5: Comparison of FYs 2009 and 2010 Measures\n\n          Goal/Measure                                    FY 2009           FY 2010\n          Tickets Opened for Errors                        9,432              8,241\n          Through Event Management\n          Probe and Response Guide                          140                 71\n          Changed\n          Priority Tickets Closed                          86%                69%\n          Source: Enterprise Computing Center web site.\n\nWhen asked about the decline in the percentage of priority tickets closed, SOCCB management\nattributed this to the types of tickets the SOCCB received during the later months of the fiscal\nyear, introduction of a new workload, and more complete ticket reporting.\nA September 2010 independent contractor assessment of the ITIL within the Enterprise\nOperations organization also identified additional performance measures that will allow the\nSOCCB to ensure it makes progress in achieving its future state.\nAccording to SOCCB management, there is limited staffing available to perform ticket trending\nthat would lead to identifying new performance measures to implement. There is currently only\none person available to do any ticket trending, and this individual has other duties to perform\nwithin the SOCCB. Another reason why SOCCB management has not implemented additional\nmeasures is because of an initiative to improve the accuracy of ITAMS incident ticket data. The\nCustomer Relationship and Service Delivery staff began this process in summer 2009 by training\nits staff on ticket accuracy and in fall 2009 targeted Priorities 1 and 2 tickets to ensure the\naccuracy of the data input into key fields (e.g., ticket start time, ticket stop time, and cause code).\nWithout effective measures to demonstrate continued improvements and quantify cost savings\nresulting from implementing new processes, like the ITIL, the SOCCB is at risk of being unable\nto fully support the MITS organization in its efforts to effectively reallocate operational savings\nto program enhancements.\n\n\n\n                                                                                               Page 11\n\x0c                        Service Operations Command Center Management\n                         Can Do More to Benefit From Implementing the\n                          Information Technology Infrastructure Library\n\n\n\nRecommendations\nThe Associate Chief Information Officer, Enterprise Operations, should:\nRecommendation 3: Update the Enterprise Operations organization strategic plan whenever\nan SOCCB ITIL best practice is required to support the goals or objectives of the organization.\nThe update needs to address the goals, as well as milestone and target dates, completion dates,\nbenefits, and any associated risks.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. The SOCCB\n       will update the Enterprise Operations strategic plan for Problem Management whenever\n       an SOCCB ITIL best practice is required to support the goals or objectives of the\n       organization.\nRecommendation 4: Ensure SOCCB management develops and executes a training plan to\nensure personnel continue to receive customized training in ITIL best practices relevant to the\nCommand Center.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. The SOCCB\n       will develop and execute a training plan to ensure personnel continue to receive\n       customized training in ITIL best practices relevant to the Command Center. The training\n       plan will be based on available online courses and other courses as budget constraints\n       allow.\nRecommendation 5: Identify and implement performance measures that will demonstrate the\nefficiencies and effectiveness of implementing Event Management, Incident Management, and\nProblem Management.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. The SOCCB\n       will identify and implement performance measures that will demonstrate the efficiencies\n       and effectiveness of implementing Event Management, Incident Management, and\n       Problem Management.\n\n\n\n\n                                                                                         Page 12\n\x0c                           Service Operations Command Center Management\n                            Can Do More to Benefit From Implementing the\n                             Information Technology Infrastructure Library\n\n\n\n                                                                                            Appendix I\n\n         Detailed Objective, Scope, and Methodology\n\nOur overall objective was to determine whether the SOCCB had effectively implemented\nITIL1 best practices to ensure service delivery management for Enterprise Operations products\nand services. In prior audits,2 our overall assessment has been that ITAMS data are of\nundetermined reliability. However, in our opinion, using these data did not weaken our analysis\nor lead to an incorrect or unintentional message. Prior audit reports included language that\nclearly stated the data limitations. To accomplish our objective, we:\nI.      Reviewed SOCCB program management controls over ITIL implementation.\n        A. Interviewed management to obtain their understanding of ITIL best practices, how\n           they communicated to employees and stakeholders regarding implementation of the\n           ITIL, and the training provided to employees.\n        B. Reviewed standard operating procedures, the Internal Revenue Manual, and the\n           Concept of Operations to determine whether SOCCB policies and procedures were\n           updated to reflect ITIL best practices. In addition, we reviewed documentation which\n           showed what benefits the SOCCB expected to accomplish by implementing the ITIL.\n        C. Evaluated the process the SOCCB has in place to ensure continuous improvements\n           and whether those improvements are delivered.\nII.     Determined whether the SOCCB is performing its Event Management, Incident\n        Management, and Problem Management functions in accordance with the ITIL.\n        A. Reviewed Event Management statistics maintained on the Enterprise Computing\n           Center web site and interviewed SOCCB management about Event Management\n           activities.\n        B. Determined the maturity/status of the SOCCB\xe2\x80\x99s Incident Management activities.\n            1. Analyzed all 312 FY 2010 Priority 1 and Priority 2 tickets obtained from SOCCB\n               management and the ITAMS to identify average ticket resolution time.\n\n1\n See Appendix IV for glossary of terms.\n2\n Management Advisory Report: Review of Lost or Stolen Sensitive Items of Inventory at the Internal Revenue\nService (Reference Number 2002-10-030, dated November 29, 2001), Progress Has Been Made in Using the Tivoli\xc2\xae\nSoftware Suite, Although Enhancements Are Needed to Better Distribute Software Updates and Reconcile Computer\nInventories (Reference Number 2006-20-021, dated December 14, 2005), and Management Practices Over End-user\nComputer Server Storage Need Improvement to Ensure Effective and Efficient Storage Utilization (Reference\nNumber 2007-20-103, dated July 3, 2007).\n                                                                                                    Page 13\n\x0c                       Service Operations Command Center Management\n                        Can Do More to Benefit From Implementing the\n                         Information Technology Infrastructure Library\n\n\n\n           2. Interviewed Customer Relationship and Service Delivery function management\n              about the reports it generates for the SOCCB.\n           3. Using the ITAMS, selected a judgmental sample of 20 from 97 Priority 1 and\n              Priority 2 tickets resolved during FY 2010 and traced them to the Knowledge\n              Database to ensure it was updated. We selected tickets from those systems that\n              had a higher volume of reported incidents (e.g., Account Management Services,\n              Eservices, and the Totally Automated Personnel System) and for which the causes\n              of the incidents included System Error, Unknown, or Application Software. We\n              used judgmental sampling because we did not intend to project our results.\n       C. Interviewed SOCCB management about their Problem Management activities.\n       D. Reviewed policies and procedures that define how the SOCCB adds new services and\n          applications to its workload.\nIII.   Determined whether the SOCCB is monitoring and measuring program performance in\n       accordance with the ITIL.\n       A. Interviewed management to determine how they monitored and measured program\n          performance for FY 2010. We determined how and when results are communicated\n          to employees and stakeholders.\n       B. Compared SOCCB measures to determine whether they align with Enterprise\n          Operations organization goals.\n       C. Identified the long-range goals that management envisions will show progress in\n          SOCCB operations based on ITIL implementation.\n       D. Identified the type of quality review process performed and how that information\n          influences overall performance.\n       E. Determined whether SOCCB management performs any trend analyses of\n          performance metrics to ensure repeat incidents have been identified and resolved.\n       F. Evaluated how SOCCB management quantifies the efficiencies they gain through\n          proactive monitoring (i.e., cost savings).\nInternal controls methodology\nInternal controls relate to management\xe2\x80\x99s plans, methods, and procedures used to meet their\nmission, goals, and objectives. Internal controls include the processes and procedures for\nplanning, organizing, directing, and controlling program operations. They include the systems\nfor measuring, reporting, and monitoring program performance. We determined the following\ninternal controls were relevant to our audit objective: the MITS organization\xe2\x80\x99s policies and\nprocedures for implementing an effective SOCCB to address the critical issues of addressing\nservice outages efficiently and utilizing taxpayer resources effectively. We evaluated these\n\n                                                                                        Page 14\n\x0c                             Service Operations Command Center Management\n                              Can Do More to Benefit From Implementing the\n                               Information Technology Infrastructure Library\n\n\n\ncontrols by interviewing management and reviewing policies and procedures, such as the\nInternal Revenue Manual, Federal guidance such as the Clinger-Cohen Act of 1996,3 and Office\nof Management and Budget Circulars and relevant supporting documentation.\n\n\n\n\n3\n Pub. L. No. 104-106, 110 Stat. 642 (codified in scattered sections of 5 U.S.C., 5 U.S.C. app., 10 U.S.C., 15 U.S.C.,\n16 U.S.C., 18 U.S.C., 22 U.S.C., 28 U.S.C., 29 U.S.C., 31 U.S.C., 38 U.S.C., 40 U.S.C., 41 U.S.C., 42 U.S.C.,\n44 U.S.C., 49 U.S.C., 50 U.S.C.).\n                                                                                                            Page 15\n\x0c                       Service Operations Command Center Management\n                        Can Do More to Benefit From Implementing the\n                         Information Technology Infrastructure Library\n\n\n\n                                                                              Appendix II\n\n                 Major Contributors to This Report\n\nAlan Duncan, Assistant Inspector General for Audit (Security and Information Technology\nServices)\nDanny Verneuille, Director\nDiana Tengesdal, Audit Manager\nMark Carder, Senior Auditor\nMyron Gulley, Senior Auditor\nAllen Henry, Program Analyst\nSarah White, Program Analyst\n\n\n\n\n                                                                                     Page 16\n\x0c                      Service Operations Command Center Management\n                       Can Do More to Benefit From Implementing the\n                        Information Technology Infrastructure Library\n\n\n\n                                                                       Appendix III\n\n                         Report Distribution List\n\nCommissioner C\nOffice of the Commissioner \xe2\x80\x93 Attn: Chief of Staff C\nDeputy Commissioner for Operations Support OS\nDeputy Chief Information Officer for Operations OS:CTO\nAssociate Chief Information Officer, Enterprise Operations OS:CTO:EO\nAssociate Chief Information Officer, Strategy and Planning OS:CTO:SP\nDirector, Enterprise Computing Center OS:CTO:EO:EC\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Internal Control OS:CFO:CPIC:IC\nAudit Liaison: Director, Risk Management Division OS:CTO:SP:RM\n\n\n\n\n                                                                             Page 17\n\x0c                        Service Operations Command Center Management\n                         Can Do More to Benefit From Implementing the\n                          Information Technology Infrastructure Library\n\n\n\n                                                                               Appendix IV\n\n                              Glossary of Terms\n\n             Term                                         Definition\nAccount Management Services    A project that will modernize the capability to collect, view,\n                               retrieve, and manage taxpayer information.\n\nBest Practice                  A technique or methodology that, through experience and\n                               research, has proven to reliably lead to a desired result.\n\nCampus                         The data processing arm of the IRS. The campuses process\n                               paper and electronic submissions, correct errors, and forward\n                               data to the Computing Centers for analysis and posting to\n                               taxpayer accounts.\n\nComputer Support Specialist    Position within the SOCCB whose duties include monitoring\n                               the mainframes.\n\nConcept of Operations          A framework that includes a defined vision, strategic goals,\n                               operational themes, and program capabilities. It identifies key\n                               organizational concepts required to achieve the organization\xe2\x80\x99s\n                               vision.\n\nE-Services                     Provides a set of web-based business products as incentives to\n                               third parties to increase electronic filing, in addition to\n                               providing electronic customer account management\n                               capabilities to all businesses, individuals, and other customers.\n\nEnterprise Computing Center    Supports tax processing and information management through\n                               a data processing and telecommunications infrastructure.\n\nEvent Management               The first line of defense for preventing an interruption to or\n                               reduction in the quality of service. Event monitoring is used\n                               to sustain and improve quality service, identify significant\n                               events and initiate actions before an incident occurs, and\n                               automate the process.\n\n\n\n                                                                                        Page 18\n\x0c                      Service Operations Command Center Management\n                       Can Do More to Benefit From Implementing the\n                        Information Technology Infrastructure Library\n\n\n\n             Term                                        Definition\n\nIncident Management          The process for managing incidents with the goal of restoring\n                             service as quickly as possible and minimizing the adverse\n                             impact on the customer.\n\nInformation Technology       The workflow tool for all MITS organization service\nAssets Management System     providers. This module reports and tracks all MITS\n                             organization incidents and service requests.\n\nInformation Technology       A set of concepts and techniques for managing information\nInfrastructure Library\xc2\xae      technology infrastructure, development, and operations.\n\nMainframe                    A powerful, multiuser computer capable of supporting many\n                             hundreds of thousands of users simultaneously.\n\nPriority 1 Ticket            An incident ticket exhibiting the following characteristics:\n                             1) resulting in severe mission-critical work stoppage or any\n                             issue relating to safety or health (e.g., fire, electrical shock),\n                             2) impacting on vital IRS customer commitments of national\n                             or area-wide scope, 3) affecting multiple internal or external\n                             customers and service to taxpayers, and 4) requiring\n                             immediate action.\n\nPriority 2 Ticket            An incident ticket with the potential to result in a work\n                             stoppage (could have a direct impact on the service to\n                             taxpayers or if scope is multi-user and there is no\n                             work-around) and/or to lead to severe mission-critical work\n                             stoppage if actions are not taken to resolve incident.\n\nProbe and Response           Provides information for enhanced triage, first contact\n                             resolution, timely incident assignment, standard incident\n                             coding, and resolution solutions.\n\nProblem Management           Consists of performing an RCA to mitigate the impact of\n                             system downtime/lost productivity caused by errors in the\n                             information technology infrastructure and to prevent the\n                             recurrence of events.\n\nRelease                      A specific edition of software.\n\n\n                                                                                         Page 19\n\x0c                        Service Operations Command Center Management\n                         Can Do More to Benefit From Implementing the\n                          Information Technology Infrastructure Library\n\n\n\n           Term                                           Definition\n\nServer                         A computer that carries out specific functions (e.g., a file\n                               server stores files, a print server manages printers, and a\n                               network server stores and manages network traffic).\n\nService Level Agreement        A document that describes the minimum performance criteria\n                               a provider promises to meet while delivering a service,\n                               typically also setting out the remedial action and any penalties\n                               that will take effect if performance falls below the promised\n                               standard.\n\nService Restoration Team       A group of individuals who work to rapidly escalate,\n                               coordinate, and resolve Priority 1 or Priority 2 outages. The\n                               team can leverage resources from outside the Enterprise\n                               Computing Center to assist with restoration activities.\n\nSystems Administrator          Position within the SOCCB whose duties include monitoring\n                               Enterprise Computing Center networked production servers as\n                               well as participating in RCA and Service Restoration Team\n                               efforts.\n\nTotally Automated Personnel    Automated personnel system used by management for\nSystem                         processing requests for personnel actions, as well as employee\n                               information report generation.\n\nTriage                         Refers to the analysis work that determines the priority of\n                               computer applications that need to be remediated.\n\n\n\n\n                                                                                         Page 20\n\x0c        Service Operations Command Center Management\n         Can Do More to Benefit From Implementing the\n          Information Technology Infrastructure Library\n\n\n\n                                                  Appendix V\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                          Page 21\n\x0cService Operations Command Center Management\n Can Do More to Benefit From Implementing the\n  Information Technology Infrastructure Library\n\n\n\n\n                                                  Page 22\n\x0cService Operations Command Center Management\n Can Do More to Benefit From Implementing the\n  Information Technology Infrastructure Library\n\n\n\n\n                                                  Page 23\n\x0cService Operations Command Center Management\n Can Do More to Benefit From Implementing the\n  Information Technology Infrastructure Library\n\n\n\n\n                                                  Page 24\n\x0c'